From b326fae5bdc21d2a2a9de1b30e34925f66749cfb Mon Sep 17 00:00:00 2001
From: Matt Strapp
Date: Thu, 14 Apr 2022 13:36:19 -0500
Subject: Path traversal mitigation
Signed-off-by: Matt Strapp
---
 src/routes/api.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'src/routes')
diff --git a/src/routes/api.ts b/src/routes/api.ts
index 4b10121..2829a39 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -214,9 +214,7 @@ api
 if ((await verifyFile(path, res)) !== true) return;
 // Read the file and send it to the client
 res.type('text/csv');
- // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal
- // deepcode ignore PT: This is probably mitigated by the regex
- return res.sendFile(path);
+ return res.sendFile(path.replace('/~', ''));
 })
 // Fallback
 .all(csrf, (req: Request, res: Response) => {
--
cgit v1.2.3
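Review bot: `path.replace('/~', '')` on the added line does not constrain where `path` points: with a string pattern it removes only the first literal `/~` and leaves `..` segments or an absolute path untouched. It also runs after `verifyFile(path, res)`, so the path that was checked and the path that is sent can differ. Use one canonical value for both steps and let Express enforce containment, e.g. `return res.sendFile(fileName, { root: TMP_ROOT });`, where `fileName` and `TMP_ROOT` are placeholders for the validated file name and the private tmp directory; alternatively, resolve the path and reject it unless it stays under that directory. The handler starts above this hunk, so how `path` is built and what the earlier regex permits are not visible here; since the two explanatory comments are removed, a short comment stating what that regex guarantees would help the next reader.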